PCI Compliance for Passive FTP Ports
I'm having an issue with Controlscan showing I'm not compliant for ports open in the firewall for passive FTP.
Information From Target:
Service: 37557:TCP
Server accepted SSL 3.0 RC4 cipher: SSL3_CK_RSA_RC4_128_MD5
Information From Target:
Service: 51838:TCP
Supported ciphers: DES-CBC-SHA:TLSv1/SSLv3:56-bit RC4-MD5:TLSv1/SSLv3:128-bit RC4-SHA:TLSv1/SSLv3:128-bit
These ports are open for my passive FTP range, which is 36000:55000.
However, my ftp is set to HIGH:!TLSv1:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL
So, what is responding in this range that isn't Passive FTP, but uses TLSv1 and SSLv3?
Passive ports should only come into play after an FTP connection is attempted/established over port 21... You can check the output of "netstat -lpn" to see any services that are bound to a listening port. You'd be looking under "Active Internet connections" in the "local address" column.
Hello, were you able to review the output of the netstat command referenced in the previous response to see what's running on those ports? You may also want to consult with Controlscan directly to see if it's a common false positive. Thank you.
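The netstat check suggested in the replies above, worked through as an added example (not code from anyone in this thread): it filters "netstat -lpn" style output down to listeners whose local port falls inside the 36000-55000 passive range, so whatever answers on ports like 37557 or 51838 can be tied to a PID and program name. The netstat sample embedded below is constructed for offline use, and its program names are placeholders.

```shell
#!/bin/sh
# Added example: list listening sockets inside the passive-FTP port range.
# Assumes the column layout of `netstat -lpn` (Proto Recv-Q Send-Q Local
# Foreign State PID/Program). `ss -ltnp` uses different columns.

PASV_LOW=36000
PASV_HIGH=55000

# Constructed sample netstat output (not real data; program names are placeholders).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1201/ftpd-placeholder
tcp        0      0 0.0.0.0:37557           0.0.0.0:*               LISTEN      2310/svc-a-placeholder
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      987/db-placeholder
tcp6       0      0 :::51838                :::*                    LISTEN      2311/svc-b-placeholder
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd-placeholder'

# listeners_in_range LOW HIGH  (reads netstat output on stdin)
# Prints "port pid/program" for every LISTEN line whose local port is in [LOW, HIGH].
listeners_in_range() {
  low=$1; high=$2
  awk -v low="$low" -v high="$high" '
    $6 == "LISTEN" {
      n = split($4, a, ":")   # the port is the last ":"-separated field (IPv4 and IPv6)
      port = a[n] + 0
      if (port >= low && port <= high) print port, $7
    }'
}

# Runs the filter over the constructed sample. On a real host, replace the
# printf with: netstat -lpn | listeners_in_range "$PASV_LOW" "$PASV_HIGH"
sample_findings() {
  printf '%s\n' "$SAMPLE_NETSTAT" | listeners_in_range "$PASV_LOW" "$PASV_HIGH"
}

sample_findings
```

Anything reported that is not the FTP daemon itself is a candidate for the scanner's finding; the PID/program column is what to take back to Controlscan when asking whether it is a false positive.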